IT Security Certification and Accreditation Process

EXECUTIVE SUMMARY

An Office of Inspector General (OIG) contractor (ECS) evaluated the ACTS Plus and EFOIA applications as part of the OIG’s fiscal year 2005 review under the Federal Information Security Management Act (FISMA). These applications were chosen for review because they had been certified and accredited (C&A) this year.

The Office of Management and Budget (OMB) has asked agency Inspectors General to assess their agency’s certification and accreditation process. Based on our review of two Commission systems, we identified several needed improvements in the Commission’s C&A process. These concerned the independence of the certification agent, certifying and accrediting the general infrastructure support system (GSS), and improvements to the evaluation process and to the tracking of Plans of Action and Milestones (POA&Ms).

ECS briefed Commission management on its detailed findings and recommendations. Management promptly began to consider appropriate corrective measures in response to the identified findings.

OBJECTIVES AND SCOPE

Our objective was to determine whether the C&A process used by the Commission met FISMA requirements and the standards issued by OMB and the National Institute of Standards and Technology (NIST).

During the review, the contractor interviewed Commission staff, reviewed the applications’ security and certification documentation, and analyzed the extent of compliance with applicable standards. ACTS Plus and EFOIA were the sample.

The audit was performed in accordance with generally accepted government auditing standards between July and September 2005.

IT Security Certification and Accreditation Process—Audit No. 411   September 30, 2005

BACKGROUND

Accreditation is the official management decision given by a senior agency official to authorize operation of an IT system. It involves explicitly accepting the risk to agency operations, assets, or individuals based on the implementation of an agreed-upon set of security controls.

The supporting evidence needed for security accreditation is developed through a detailed security review of the IT system, referred to as security certification. Certification determines the extent to which controls are implemented correctly, operating as intended, and meeting the system security requirements. Certification and accreditation of major IT systems are required by FISMA and are performed under standards issued by OMB and NIST.

AUDIT RESULTS

We found that security certification and accreditation at the Commission needed to be improved and brought into compliance with OMB and NIST standards, particularly regarding the independence of the certification agent. In addition, the certification of ACTS Plus and EFOIA depended on the certification of the general infrastructure support system (GSS), which had not yet occurred. The processes for the security test and evaluation (ST&E) and for the Plans of Action and Milestones (POA&Ms) also needed improvement.

The contractor prepared a detailed report containing its findings and recommendations. Because of the sensitivity of the detailed report, we have decided to issue this public report summarizing the results of our review.